A more (or less) new form of exploit has just been published [1]. By appending a Java-Archive (JAR) file to an Image file (JPG/GIF) a hybrid file can be created which will validate as both a valid JAR and a valid image.
The file can be uploaded to an image host and included as a Java applet on any page on any host. The applet will have privileges to connect back to the originating host and operate with all the account holder's privileges.
Commons seems to be a target for such an attack. Upload is easy, although I'm not too sure about the damage potential. I suppose if an administrator's account were compromised, an applet could be manufactured to mass-delete content or mass-block users.
Anyhow. I was just surprised that nobody posted this already.
[1] http://www.infoworld.com/article/08/08/01/A_photo_that_can_steal_your_online...
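Added example (not part of the original post or of any Commons/MediaWiki code): a server-side upload check that flags exactly the hybrid the post describes, an image file with a ZIP/JAR archive appended. Java locates an archive by scanning backwards from the end of the file for the ZIP end-of-central-directory (EOCD) record, which is why a JAR still loads with image bytes in front of it; the check below performs the same backward scan, recovers where the archive starts, and rejects any upload that is both a recognised image and a loadable archive. The image magic numbers and the EOCD layout are standard; the sample input is constructed inline (a minimal 1x1 GIF plus an archive containing only a manifest and a text file, no bytecode) purely to exercise the check.

```python
import io
import struct
import zipfile

# Leading magic bytes of the image containers the post mentions, plus PNG.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
}
ZIP_EOCD = b"PK\x05\x06"   # end-of-central-directory signature; last record of a ZIP/JAR
EOCD_LEN = 22              # fixed part of the EOCD record (no trailing comment)


def image_type(data: bytes):
    """Return the image container name if the data starts like an image, else None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def find_trailing_zip(data: bytes):
    """Return (archive_start, member_names) if data carries a ZIP/JAR, else None.

    Mirrors the way java.util.zip finds an archive: locate the EOCD from the end,
    then use the central-directory size and offset it records to compute where the
    archive really begins. Anything before that offset is a foreign prefix (the image).
    """
    eocd = data.rfind(ZIP_EOCD)
    if eocd == -1 or eocd + EOCD_LEN > len(data):
        return None
    # EOCD: sig(4) disk(2) cd_disk(2) entries_on_disk(2) entries(2) cd_size(4) cd_offset(4) comment_len(2)
    _sig, _d, _cdd, _eod, _entries, cd_size, cd_offset, _clen = struct.unpack(
        "<4sHHHHIIH", data[eocd:eocd + EOCD_LEN])
    archive_start = eocd - cd_size - cd_offset   # EOCD immediately follows the central directory
    if archive_start < 0:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[archive_start:])) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None                                # a stray "PK\x05\x06" inside pixel data, not an archive
    return archive_start, names


def classify_upload(data: bytes) -> dict:
    """Decide whether an uploaded blob is a plain image, an archive, or an image/archive hybrid."""
    img = image_type(data)
    found = find_trailing_zip(data)
    result = {"image": img, "zip_offset": None, "jar_like": False, "verdict": "ok"}
    if found is not None:
        offset, names = found
        result["zip_offset"] = offset
        # A JAR is a ZIP with a manifest and/or class files; record that for triage.
        result["jar_like"] = any(n.upper() == "META-INF/MANIFEST.MF" or n.endswith(".class")
                                 for n in names)
        if img is not None and offset > 0:
            result["verdict"] = "reject: image with appended archive"
        elif img is None:
            result["verdict"] = "reject: archive, not an image"
    elif img is None:
        result["verdict"] = "reject: unrecognised format"
    return result


def build_constructed_sample():
    """Constructed test input (not a real applet): a 1x1 GIF, and the same GIF with a
    harmless ZIP appended. The archive holds only a manifest and a text file."""
    gif = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"        # header + logical screen descriptor
           + b"\x00\x00\x00\xff\xff\xff"                       # 2-entry global colour table
           + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"       # image descriptor
           + b"\x02\x02\x44\x01\x00"                           # LZW data
           + b"\x3b")                                          # trailer
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("README.txt", "constructed sample, no bytecode\n")
    return gif, gif + buf.getvalue()


if __name__ == "__main__":
    plain, hybrid = build_constructed_sample()
    print("plain image :", classify_upload(plain))
    print("hybrid file :", classify_upload(hybrid))
```

In an upload pipeline the cheap route is to run this check before any image-validity check; a file that passes as an image and still parses as an archive should be rejected (or re-encoded through an image library, which drops the trailing bytes) rather than served from the image host as-is.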